Is it possible to use coffee machines and stay safe from hackers?

Kaspersky Lab issued a report that warns users of the possible risks when facing with connected coffee machines and other wireless-enabled home devices.

The paradigm of the Internet of Things has dramatically enlarged our surface of attack, smart devices surrounding us are a privileged target for cyber criminals. What about your coffee machine? The coffee machines could become the entry point in your network, exactly as described in the past for smart kettles, hackers could hack them to gain access to violate your privacy.

Also in this case, the coffee machines could be controlled via a mobile app, you can have a steaming coffee by starting the device remotely. Clearly, the presence of a flaw could in the way the app exchange information with the coffee machine could open the doors to the hackers. The attackers could exploit the flaw to steal your WiFi password and sniff data in transit in your network.

Security experts at Kaspersky Lab issued a report that warns users of the possible risks when facing with connected coffee machines, and more in general, one of four wireless-enabled home devices analyzed by the experts.

The researchers analyzed four devices that are familiar to many users:

a USB-dongle for video streaming (Google Chromecast);

a smartphone-controlled IP camera;

a smartphone-controlled coffee maker; and

a home security system, also smartphone-controlled.

The experts discovered a number of vulnerabilities of varying severity, honestly some of them very difficult to exploit due to the necessary condition that must be satisfied to launch the hack.

When a connected coffee machine is turned on it opens a non-encrypted hotspot and listens to UPNP traffic. On the client side, the smartphone running the mobile app provided by the vendor of the coffee machines connects to the hotspot and sends a broadcast UDP request searching for UPNP devices. The Coffee machine establish the communication with the app exchanging several data including the SSID and the password to the home wireless network, unfortunately they are in clear text.

“As our coffee machine is such a device, it responds to this request. After that a short communication containing the SSID and the password to the home wireless network, among other things, is sent from the smartphone to the device.” states the report. “This is where we detected a problem. Although the password is sent in encrypted form, the components of the encryption key are sent through an open, non-protected channel. These components are the coffee machine’s Ethernet address and some other unique credentials. Using these components, the encryption key is generated in the smartphone. The password to the home network is encrypted with this key using 128-bit AES, and sent in base64 form to the coffee machine. In the coffee machine, the key is also generated using these components, and the password can be decrypted. Then, the coffee machine connects to the home wireless network and ceases to be a hotspot until it is reset. From this moment on, the coffee machine is only accessible via the home wireless network. But it doesn’t matter, as by then the password is already compromised.”

In order to hack the coffee machines, the attackers would need to know exactly when the owner install them and be physically near the IoT device in a way to intercept the password. Clearly this scenario is not so easy to implement.

Kaspersky reported the security issued to the vendor of the coffee machines, which has acknowledged them and provided the experts with the following statement:

“Both user experience and security are extremely important to us and we continually strive to strike the right balance between the two. The actual risks associated with the vulnerabilities you mentioned during set-up are extremely low. In order to gain access, a hacker would have to be physically within the radius of the home network at the exact time of set-up, which is a window of only a few minutes. In other words, a hacker would have to specifically target a smart coffee maker user and be around at the exact point of set-up, which is extremely unlikely. Because of this, we do not believe the potential vulnerabilities justify the significant negative impacts it will have on user experience if we make the suggested changes. Though no definite plans to change our set-up procedure are in the works, we are constantly reevaluating and wouldn’t hesitate to make changes if risks become more significant. Should something change in the near future we will let you know.”

I partially agree with the above statement, anyway I remark the need to approach IoT paradigm with security by design.

To read the results of the tests executed on the other IoT devices give a look to the report.

Share On

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This site uses cookies, including for analytics, personalization, and advertising purposes. For more information or to change your cookie settings, click here.

If you continue to browse this site without changing your cookie settings, you agree to this use.AcceptRead More

Privacy and Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.

Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.

Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.